Recent observations on compliance
By saragates on Mar 02, 2006
So last time I talked about the "p" word and how we move forward in a meaningful way in talking about policy. I heard from Sun's Robin Wilton who is active with Liberty Alliance and he told me that at a recent working session of the Liberty Alliance a discussion occurred around "drawing the distinction between public (i.e. government) policy as a driver of privacy issues, and enterprise 'business' policy as another influence on the same matters." Good to know that smart people like Robin and the Liberty folks are working to drive much-needed clarity. I look forward to learning more about the work that's underway. I hear Liberty is working on standard legal and policy (did I say the "p" word?) agreements that can act as a baseline agreement for companies wrestling with things like indemnification across federated domains.
A lot of conversations that I am having these days with companies are about implementing technology to help automate compliance processes and make responding to audit requests easier. One company we talked to last year told us a story that at the time seemed hard to believe, but I now see it happening in every public company: this Fortune 100 company had spent 50 man-months doing 1 -- ONE! -- audit across their so-called Sarbanes applications (apps with sensitive data on which access must be well controlled). 50 man-months checking for separation-of-duty problems across 35 applications. That's 50 man-months they were not focused on getting their partner portal launched, updating their ERP system, etc., because they were manually checking for access-control-related risks that could lead to bad things happening. It's a common story.
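The manual work described above is mechanical once the access data is in one place: pull each application's user-to-role assignments, invert them so you can see everything one identity holds, and test each identity against a list of role combinations that must never sit with the same person. The following is an added example written for this page, not code from the original post or from any Sun product; the application names (erp, payroll, hr), the role names, the users and the three SoD rules are all constructed for illustration.

```python
"""Separation-of-duty (SoD) check across several applications.

Added example with constructed data. In a real audit the ENTITLEMENTS
feeds would be exports from each application's own access store and the
rules would come from the control owners, not be hard-coded here.
"""
from collections import defaultdict

# Constructed entitlement feeds, one list of (user, role) per application.
ENTITLEMENTS = {
    "erp": [
        ("alice", "create_vendor"), ("alice", "approve_payment"),
        ("bob", "create_vendor"), ("carol", "approve_payment"),
    ],
    "payroll": [
        ("bob", "edit_salary"), ("dave", "edit_salary"), ("dave", "run_payroll"),
    ],
    "hr": [
        ("bob", "approve_hire"), ("erin", "approve_hire"),
    ],
}

# Hypothetical SoD rules: (rule name, entitlement A, entitlement B), where an
# entitlement is (application, role). A rule may span two applications, which
# is exactly the case a per-application review misses.
SOD_RULES = [
    ("vendor-and-pay", ("erp", "create_vendor"), ("erp", "approve_payment")),
    ("hire-and-pay", ("hr", "approve_hire"), ("payroll", "edit_salary")),
    ("salary-and-run", ("payroll", "edit_salary"), ("payroll", "run_payroll")),
]


def access_by_identity(entitlements):
    """Invert per-application feeds into user -> {(app, role), ...}.

    This is the "who has access to what" view an auditor needs; the
    per-application exports only give "what has which users".
    """
    by_user = defaultdict(set)
    for app, rows in entitlements.items():
        for user, role in rows:
            by_user[user].add((app, role))
    return dict(by_user)


def find_sod_violations(entitlements, rules):
    """Return [(user, rule_name, entitlement_a, entitlement_b), ...].

    One tuple per (user, rule) pair where the user holds both sides of the
    rule. Users are visited in sorted order so the report is deterministic.
    """
    by_user = access_by_identity(entitlements)
    violations = []
    for user in sorted(by_user):
        held = by_user[user]
        for name, side_a, side_b in rules:
            if side_a in held and side_b in held:
                violations.append((user, name, side_a, side_b))
    return violations


def format_report(violations):
    """Render violations as plain text, one line per finding."""
    lines = [f"{len(violations)} SoD violation(s) found"]
    for user, name, (app_a, role_a), (app_b, role_b) in violations:
        lines.append(f"  {user}: {name} -> {app_a}/{role_a} + {app_b}/{role_b}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_sod_violations(ENTITLEMENTS, SOD_RULES)))
```

With the constructed data, alice trips the in-application rule (she can both create a vendor and approve its payment), dave trips the payroll rule, and bob trips the cross-application rule because the offending roles live in two different systems; carol and erin hold one side of a rule each and are clean. The point of inverting the feeds first is that the cross-application case costs nothing extra to detect, whereas a reviewer walking 35 applications one at a time has to carry every user's holdings in their head.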
Here are my observations on compliance:
It's happening around the globe. Every country (well, a lot of countries) and a lot of federal governments have Sarbanes-like legislation or regulation out or in the works. As I am out around the world the topic comes up everywhere -- from federal governments across the globe (think HSPD-12) to legislation affecting publicly traded companies (think Sarbanes, HIPAA, Basel II) there are movements afoot to drive better control and security for consumers, citizens, patients and ultimately shareholders.
It's actually good for us. For years I drove without a seatbelt even though I knew I was better off (safer) by wearing one. It wasn't until the law in my state changed and threatened a fine for non-compliance that I changed my behavior. Again, even though I knew I was safer if I wore a seat belt, I chose not to. Now, many years later, wearing a seat belt is just part of driving; I don't think about it, I just buckle up. That's how I see a lot of the "compliance" work being done at companies (Sun as well) and federal agencies these days to get better controls in place. We SHOULD be able to see and approve who-has-access-to-what. We SHOULD be able to quickly do forensics by identity if something goes wrong. We SHOULD be able to control access to critical applications so that bad, unintended things do not happen. Our companies are better off as their risk is lowered with good controls in place. As individuals with 401(k)s, we are better off as the risk of Enron/WorldCom-grade failures is lowered. And it's good because this new baseline of control has to be in place for our economy and our businesses to safely face the next wave of growth (think Web 2.0).
In five years we won't talk about it anymore. It will just be how we run our businesses. I look forward to this day. This will be a boon to the printing and marketing industry as every vendor everywhere on the planet will have to revise their collateral to talk about something else. Any predictions on what the new bandwagon will be?